OpenID v.Next Core Protocol Charter

SitG Admin sysadmin at shadowsinthegarden.com
Mon May 24 04:50:42 UTC 2010


>What if Facebook could send a message logging out users from Google 
>and Microsoft without the users' consent?

I see an identity correlation attack where the OP is offering 
anonymous Identities as requested but the user is not availing 
themselves of this for any non-secure site: if you want to test 
whether a user of site B (insecure, non-anonymous Identity) is also 
currently active on site A (secure) as an anonymous user, keep the 
session active and then suddenly initiate single-sign-out from A, 
seeing if the activity on B also ceases.

-Shade
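An added example, not part of this post or of any OpenID specification: a toy OP session store that models the correlation Shade describes (an RP-initiated single sign-out that cascades to every session of the same user) beside an OP-side policy that scopes RP-initiated sign-out to the session that RP actually owns. All names (OPSessionStore, alice, siteA, siteB, the pairwise-identifier salt) are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed secret used to derive pairwise (per-RP) pseudonymous identifiers.
PAIRWISE_SALT = "example-op-secret-salt"


@dataclass
class OPSessionStore:
    # sessions[(user, rp)] -> identifier the OP presented to that RP
    sessions: dict = field(default_factory=dict)

    def login(self, user, rp, anonymous):
        """Start a session at `rp`; anonymous logins get a pairwise identifier."""
        if anonymous:
            digest = hashlib.sha256(f"{PAIRWISE_SALT}:{user}:{rp}".encode()).hexdigest()
            ident = "pairwise:" + digest[:12]
        else:
            ident = user
        self.sessions[(user, rp)] = ident
        return ident

    def active_rps(self, user):
        return sorted(rp for (u, rp) in self.sessions if u == user)

    def rp_logout_naive(self, rp, ident):
        """Vulnerable policy: a sign-out requested by one RP ends every session of
        the underlying user, so another RP can watch its named user disappear."""
        owners = [u for (u, r), v in self.sessions.items() if r == rp and v == ident]
        for user in owners:
            for key in [k for k in self.sessions if k[0] == user]:
                del self.sessions[key]

    def rp_logout_scoped(self, rp, ident):
        """Hardened policy: an RP may only end the session bound to the identifier
        it was shown; sessions at RPs that saw a different identifier are untouched."""
        for key in [k for k, v in self.sessions.items() if k[1] == rp and v == ident]:
            del self.sessions[key]

    def user_global_logout(self, user):
        """Global single sign-out remains a user-initiated action at the OP."""
        for key in [k for k in self.sessions if k[0] == user]:
            del self.sessions[key]


def correlation_observable(scoped):
    """True if site B can tell that its named user was the anonymous user at site A."""
    op = OPSessionStore()
    anon = op.login("alice", "siteA", anonymous=True)
    op.login("alice", "siteB", anonymous=False)
    (op.rp_logout_scoped if scoped else op.rp_logout_naive)("siteA", anon)
    return "siteB" not in op.active_rps("alice")
```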

